This article originally appeared in Search Security on September 25, 2018.
Google Chrome sign-in changes are being criticized by experts, and poor communication from Google has led to more confusion about user privacy and consent.
A quiet change to how Google Chrome sign-in works has caused concern over data collection and user privacy, but Google claims the worry is unfounded.
Users recently noticed that Chrome now automatically logs them in and out of the browser with their Google account if they log in or out of a Google web property, like Gmail.
The Chrome sign-in change happened early in September with the release of Chrome version 69, but it came to a head over the weekend.
At first, confusion over what Chrome sign-in at the browser level entailed caused concern, because users thought it meant Google Sync would be turned on and that it would send data to Google without their consent.
However, Adrienne Porter Felt, engineering manager on the Google Chrome team, cleared up this confusion on Twitter.
Porter Felt added that the Chrome sign-in change was meant to ease confusion for users sharing devices and address the need to have one place to sign out from all Google properties and the browser.
Although not specified by Google, Chris Olson, CEO of The Media Trust, based in McLean, Va., said the Chrome sign-in change might have been spurred by GDPR.
“To stay compliant with GDPR and other data privacy laws that have been or will soon be enforced around the world, Google has introduced this measure to prevent users of shared or publicly available devices and machines from inadvertently sharing their information with other users,” Olson wrote via email. “The bottom line is that as data becomes more regulated, companies need to not only stay compliant, but tout the ways they are doing just that not only to avoid any confusion [but] to also show they are good digital citizens and win consumer trust.”
However, experts said there are still privacy concerns with the new Chrome sign-in behavior, even if Google Sync is disabled by default.
Matthew Green, cryptography expert and professor at Johns Hopkins University’s Information Security Institute, wrote in a blog post that the problem Google claims to be addressing shouldn’t affect “users who chose not to sign into the browser in the first place.”
“If signed-in users are your problem, why would you make a change that forces unsigned-in users to become signed-in?” Green asked. “For ten years I’ve been asked a single question by the Chrome browser: ‘Do you want to log in with your Google account?’ And for ten years I’ve said no thanks. Chrome still asks me that question — it’s just that now it doesn’t honor my decision.”
When asked for clarification on the subject, a Google spokesperson cited Porter Felt’s tweets, as well as a blog post by Eric Lawrence, former senior software engineer for Google Chrome and current principal program manager for Microsoft Edge.
Lawrence addressed the misconception that Chrome sign-in also meant Google Sync being turned on and praised the changes in terms of security on shared devices. But he also noted the UI in Chrome could be confusing to users. Lawrence said the dialog box asking if users want to enable Sync appears in the same location as the button to save a password and might be clicked by accident.
“If you don’t want Chrome to Sync, just don’t click buttons that offer to enable it,” Lawrence wrote. “Arguably, enabling Sync is now so streamlined that you could conceivably do it by accident (or someone borrowing your PC could do it for you).”
Green added that the Chrome sign-in changes could have “privacy implications even if Sync is off,” because Chrome developers couldn’t give answers regarding the details of how Sync works.
“If I have my browser logged out, then I log in and turn on Sync, does all my past (logged-out) data get pushed to Google? What happens if I’m forced to be logged in, and then subsequently turn on Sync?” Green asked. “Nobody can quite tell me if the data uploaded in these conditions is the same. These differences could really matter.”
Bálint Szilakszi, a system architect based in Vienna, wrote that the Chrome sign-in change violates the “content vs. browser separation layer,” which makes Google services “too deeply integrated and impossible to use in part or isolation.”
“It’s either the entire system or nothing, based on how the question of consent is approached. You would like to use GMail (logged in obviously) but Google search, Youtube, Chrome, etc. without a login? No can do. You selected strict settings in Facebook for your profile data? You’re just an API/permission redesign away from having your choices nullified,” Szilakszi wrote. “Part of me feels that this Chrome shared computer issue that Googlers mentioned is real, but it’s also just too convenient to solve this by [tying] Chrome closer to Google.”